mmvideo: check horizontal coordinate too
Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>
parent
849b9d34c7
commit
70cd3b8e65
@ -154,6 +154,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
|
|||||||
int replace_array = bytestream2_get_byte(&s->gb);
|
int replace_array = bytestream2_get_byte(&s->gb);
|
||||||
for(j=0; j<8; j++) {
|
for(j=0; j<8; j++) {
|
||||||
int replace = (replace_array >> (7-j)) & 1;
|
int replace = (replace_array >> (7-j)) & 1;
|
||||||
|
if (x + half_horiz >= s->avctx->width)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
if (replace) {
|
if (replace) {
|
||||||
int color = bytestream2_get_byte(&data_ptr);
|
int color = bytestream2_get_byte(&data_ptr);
|
||||||
s->frame->data[0][y*s->frame->linesize[0] + x] = color;
|
s->frame->data[0][y*s->frame->linesize[0] + x] = color;
|
||||||
|
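Review bot: The new width check in `mm_decode_inter` sits before `if (replace)`, so it also fires for bits where `replace` is 0 and no pixel is written. A row whose last `replace_array` byte has zero bits running past the right edge is then rejected with `AVERROR_INVALIDDATA` even though it would not touch the frame. Whether such padding occurs in valid files cannot be told from the hunk. If it does, placing `if (x + half_horiz >= s->avctx->width) return AVERROR_INVALIDDATA;` as the first statement inside `if (replace)` still bounds the visible store, provided every write in the loop is under that branch. A short comment such as `/* x + half_horiz is the rightmost column this bit can write */` would also explain the `+ half_horiz` term. The function body starts and ends outside the hunk, so the origin of `x` and the matching bound on `y` are not visible here.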